Topic: Government outlines when it will disclose or exploit software vulnerabilities.
WastelandCowboy
11/19/17 2:41:02 PM
#1:


https://www.npr.org/sections/alltechconsidered/2017/11/17/564755961/government-outlines-when-it-will-disclose-or-exploit-software-vulnerabilities

Government agencies that deal with cybersecurity, like the National Security Agency, have two competing interests. On the one hand, they want to protect America's online infrastructure and economy from cyberattacks. On the other hand, government agencies want to harness tools to attack opponents in cyberspace.

These goals come into conflict when government agencies discover or buy flaws in software, called "zero day" exploits, that the software's makers don't know about. The government can inform the company so the flaw can be patched or it can save the secret weakness in order to use it to launch attacks against enemies.

There's a catch to hoarding the software flaws though: That same exploit could end up being used against Americans if hackers discover the flaw on their own.

It's with this conflict in mind that the White House rolled out new guidelines on Wednesday for the process it will use to decide when to inform tech companies about vulnerabilities discovered in their software, and when agencies will decide to keep something classified.

There's a "tension between the government's need to sustain the means to pursue rogue actors in cyberspace through the use of cyber exploits, and its obligation to share its knowledge of flaws in software and hardware with responsible parties who can ensure digital infrastructure is upgraded and made stronger in the face of growing cyber threats," White House Cybersecurity Coordinator Rob Joyce wrote in announcing the guidelines.

The Vulnerabilities Equities Process Charter lays out what to do once a vulnerability is both "newly discovered and not publicly known" (emphasis theirs).

Representatives from several federal agencies, including the departments of Treasury, State, Justice, Homeland Security, Energy, Defense, Commerce and the CIA will be part of a board to consider the benefits and drawbacks of releasing or keeping a flaw secret.

Officials will consider factors like how widely a product is used, how likely hackers are to discover the flaw, how much damage it can do, and how easily it can be patched. They'll also weigh how valuable an exploit is for gathering intelligence or helping law enforcement, and its effect on the government's relationship with businesses.

The 14-page document also explains the process for resolving disputes when agencies disagree over what to do.

If the government ends up deciding to inform the manufacturer, "dissemination will be made in the most expeditious manner and when possible within 7 business days," the charter says.

The Electronic Frontier Foundation, a group advocating online privacy and civil liberties, called the guidelines "affirmative steps," but they "still have concerns over potential loopholes in the policy."

Former Defense Department officials Kate Charlet and Sasha Romanosky, along with Bert Thompson of the Carnegie Endowment for International Peace, called the announcement "a positive step toward increasing transparency on this controversial process" in a post on the Lawfare blog.
